Glitter Finance is a base layer technology focused on interoperability, liquidity movement and ease of use. The bridge provides an interoperability solution that serves as a base layer for layer-1 networks and DeFi protocols across multiple blockchain networks.

Glitter Finance engaged Ackee Blockchain to perform a security review of the Glitter EVM smart contracts with a total time donation of 4 engineering days in a period between May 2 and May 10, 2023.

METHODOLOGY

We began our review by using static analysis tools, namely Woke. We then took a deep dive into the logic of the contracts. For local deployment, testing and fuzzing, we used the Woke testing framework.

During the review, we paid special attention to:

  • the possibility of double spending,
  • detecting possible reentrancies in the code,
  • ensuring access controls are not too relaxed or too strict,
  • cross-chain token handling,
  • proper on-chain data validation.

SCOPE

The scope of the audit is EVM contracts of the protocol. Contracts work as an entry point for users and are responsible for locking/burning tokens on a source chain and releasing/minting tokens on the destination chain.

The audit has been performed on the commit 326f0fe and the scope was the following:

  • BaseVault.sol
  • LockReleaseVault.sol
  • MintBurnVault.sol
  • GlitterRouter.sol

During Revision 1.1, Glitter engaged Ackee Blockchain to perform a fix review on the given commit: 462ed5b.

FINDINGS

Here we present our findings.

Critical severity

No critical severity issues were found.

High severity

No high severity issues were found.

Medium severity

M1: Missing handling of a token shortage

M2: Problematic decimals

Low severity

L1: Vaults mapping logic

Warning severity

W1: Lack of data validation in deposit function

W2: Lack of emits in state-changing functions

Informational severity

I1: Missing parameters in NatSpec

CONCLUSION

Our review resulted in 6 findings, ranging from Informational to Medium severity. The code is very clear and well-documented. Standard documentation is missing, but the code is self-explanatory. The code is also well-tested. A big part of the logic is in the backend code of the bridge protocol, which was not in the scope of this audit.

We recommended that Glitter:

  • add stronger data validation,
  • emit events for all state changes,
  • address all other reported issues.

Ackee Blockchain’s full Glitter protocol audit report with a more detailed description of all findings and recommendations can be found here.

We were delighted to audit Glitter Finance and look forward to working with them again.